Purpose of the Post
- To perform and take ownership of Data Protection Impact Assessments (DPIAs) for a number of initiatives.
- The primary remit of this role will be completing security risk assessments for the programme, in order to support new feature implementations and/or additional Consumer System on-boarding activities.
- The DPIA Consultant will engage with both business and technical stakeholders to ensure that the appropriate scope of the DPIAs is defined and understood, and is in line with the agreed overarching security goals and requirements.
- The role will also be responsible for identifying, describing and advising on the implementation of the required controls to mitigate the identified security risks.
Principal Duties & Responsibilities include:
- Completing initial project DPIAs and defining the associated risk-mitigation control requirements, including:
  - Identifying the requirement for a DPIA.
  - Deciding on the methodology to be followed (e.g. ISO/IEC 27001 ISMS approach and 27002 Security Controls / NIST CSF / ISF / COBIT 5 / OCTAVE / ENISA / etc.).
  - Describing the data processing involved.
  - Assessing the necessity and proportionality of the data processing.
  - Agreeing the risk categorisation and ratings that will be used.
  - Performing the risk assessment (i.e. identifying and assessing risks).
  - Categorising, ranking and recommending the development and/or implementation of appropriate risk-mitigation control measures, whether people-, process- or technology-related (PPT).
  - Reviewing the outputs of the risk assessment with key stakeholders for formal agreement, sign-off and recording of outcomes.
- Managing the implementation and/or integration of required controls back into project plan(s) and/or initiatives, based on the outcomes of both initial and on-going DPIA engagements.
- Ownership of the on-going review of DPIAs for the Programme, in order to support new feature implementations and/or additional Consumer System on-boarding activities.
- Throughout the DPIA process, consulting individuals and other stakeholders as and when required.
Candidates must clearly demonstrate the following criteria in their submission:
- Minimum of 6 months' experience in helping to deliver technical projects in Ireland.
Qualifications and/or Experience
- Minimum of 5 years working in security consulting roles.
- Direct experience in, and/or knowledge of, all of the following:
  - Completing security risk assessments as part of large-scale IT programmes and projects.
  - Delivering Data Privacy Impact Assessments (DPIAs), as per EU GDPR requirements.
  - Implementing security risk assessment and controls frameworks (e.g. ISO/IEC 27001 ISMS and 27002 Security Controls / NIST CSF / ISF Cyber / COBIT 5 / OCTAVE / ENISA / etc.).
  - Globally-recognised security standards (e.g. ISO / NIST / CIS / etc.).
  - Data privacy legislation (DPAs 1988 - 2003 and 2018) and information governance standards.
  - Extensive security architecture experience and knowledge.
- Direct experience of two or more of the following:
  - Skilled in documenting solution and/or technical design.
  - Strong background in:
    - IT and information security.
    - General systems architecture and infrastructure design.
    - Software development and project lifecycle (e.g. secure SDLC guidelines / OWASP "Top 10" - both Web and API / WASC "Top 25" / CWE "Top 25").
    - Information Security Testing and Assessment (e.g. OSSTMM / NIST SP 800-115).
  - SANS CIS "Top 20" CSCs.
  - Systems and application security hardening to globally-recognised standards (e.g. CIS L1 and L2 Benchmarks / SANS SCORE / NIST SP 800-123).
  - Strong knowledge of all OSI layers and the available technology and/or solution stacks implemented therein.
  - PKI models (in-house / hybrid / Cloud).
Desirable Skills, Competencies and/or Knowledge
- Experience of managing relationships with senior stakeholders, including both internal and external entities.
- Understanding of, and practical experience in applying, the DPA, the FOI and other related legislation, standards and codes of practice.
- Good working knowledge of information risk analysis and vulnerability life-cycle management.
- Strong team player with excellent interpersonal, collaboration and communication skills.
PFH is a premier provider of end-to-end ICT solutions and a managed services portfolio scaling from SMEs to large Enterprise organisations. We have unrivalled vendor relationships, and we can procure, design, deploy and support all your ICT needs. Our ISO 20000/27001-certified, 24x7 Custodian™ Cloud Services and Custodian™ Managed Services provide the technology and expertise to mitigate risk and reduce your costs immediately. We have a nationwide network of over 450 dedicated professionals, including over 350 qualified engineers, ready to meet your ICT needs, with offices in Dublin, Cork and Galway.